News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • MS-DEFCON 4: All clear for consumers, less so for businesses

    Posted on August 25th, 2021 at 02:45 Comment on the AskWoody Lounge
    AskWoody Plus Alert Logo
    ISSUE 18.32.1 • 2021-08-25

    MS-DEFCON 4

    By Susan Bradley

    This month has been a bit bumpy for business users needing to print.

    This month’s change to a technology called “Point and Print” has triggered side effects for information technology professionals who deployed workstations without administrator rights.

    Although I’m reluctantly recommending installing these updates, because you need to be protected from all the other vulnerabilities this month, I must acknowledge that even after you patch, you still won’t be protected from printer vulnerabilities. There is yet another Print Spooler issue out there. Right now, the only way you can protect yourself from the remote Print Spooler attack described by CVE-2021-36958 is to keep your Print Spooler service disabled unless it is absolutely needed.

    Consumer and home users

    Install the August updates. In a change to my past update recommendations regarding .NET, I now recommend installing the .NET updates as well. For the last year, I’ve not experienced any side effects with the nonsecurity .NET updates and feel confident about their safety.

    I’ve also not been tracking any side effects with Chromebook 92 after its release on August 2. Unlike last month, there’s been no need to roll back this version.

    Business users

    For those of you in charge of business patching, there’s no good resolution for the side effects of the August updates, not to mention the risks of the unpatched Print Spooler vulnerability. If you deploy print drivers using group policy and your users do not have administrator rights, they are being prompted to install a printer-driver update even though the printer driver has not changed — the only thing that has occurred is that the patch was installed. You can deploy a registry key to

    HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

    with the name RestrictDriverInstallationToAdministrators and a DWord value of 0, but unfortunately, this opens up your workstations to attack. It’s not a good solution.

    The root cause appears to be v3 versions of printer drivers. In the short term, I recommend several possible solutions.

    • Temporarily allow administrator rights via group policy to allow your end users to install the updated print driver, and then revert them back to non administrator rights.
    • Use the registry key workaround (above) that will allow printer drivers to be installed, with full knowledge that this opens your machine up to attack.
    • Review the printer drivers you have installed and ensure that they are v4 and not earlier versions.

    References

    Read the full story in the AskWoody Plus Alert 18.32.1 (2021-08-25).